1. Field of the Invention
The invention is directed to a method for operating a digitally printing postage meter machine so as to generate and check a security imprint.
2. Description of the Prior Art and Related Application
Postage meter machines can be especially efficiently utilized for franking mail pieces from a moderate to a high number of letters or other postal items to be sent. Differing from other printer devices, a postage meter machine is suitable for the processing of filled envelopes, even envelopes having very different formats. The printing width, however, is limited to the width of the franking imprint. When any of the terms "letter" or "mail piece" or "print carrier" is used below, this, of course, includes all kinds of envelopes or other recording media. Postal matter, file cards, labels or self-adhesive labels of paper or similar material can be employed as a recording medium.
Modern postage meter machines employ fully electronic digital printer devices. For example, the postage meter machine T1000, which is commercially available from Francotyp-Postalia, employs a thermal printing mechanism. It is fundamentally possible to print arbitrary texts and special characters in the postage stamp printing area with this device. The thermal transfer postage meter machine disclosed in U.S. Pat. No. 4,746,234 has a microprocessor and is surrounded by a protected housing which has an opening for the letter feeding. A mechanical letter sensor (microswitch) communicates a print request signal to the microprocessor relating to information about the position of the letter when it is fed. The microprocessor then controls the drive motors and a thermal transfer print head. An encoder communicates a signal derived from the inked ribbon transport of the thermal transfer to the microprocessor as information about the letter transport movement. The postage printing is done column-by-column.
German OS 196 05 014 discloses an embodiment of a printer device (JetMail®) that implements a franking imprint with an ink jet print head stationarily arranged in a recess behind a guide plate, given a non-horizontal, approximately vertical letter transport. Fully electronic digital printing is possible in non-contacting fashion with this device. A print sensor for recognizing the start of the letter is arranged shortly before the recess for the ink jet print head and interacts with an incremental sensor. The letter transport is possible without slippage due to pressure elements arranged on a conveyor belt.
A security system disclosed in U.S. Pat. No. 4,949,381 employs imprints in the form of bit maps in a separate marking field under the postage meter machine stamp. Although the bit maps are especially densely packed, the stamp image is reduced in height by the height of the marking field due to the size of the marking field that is still required. Too much of the printing area that could otherwise be used for advertising slogan data or other data is thus lost. Of course, a high-resolution print head is relatively expensive. The high-resolution recognition means required for the evaluation of the marking is also disadvantageous.
Since the representation of a one-dimensional bar code or line code would require comparatively much space, an ID matrix code has also already been proposed. Another proposal was described in Technical Report Monograph 8, Symbol Technologies, April, 1992 and in European 439 682 and is directed to a PDF 417 symbolism.
The postal regulations usually define a width of about 1 inch for the franking field. Initial estimates yield a data storage possibility of a maximum of 400 bytes per square inch. Even if a print head and a scanner were developed with corresponding resolution, this maximum dataset could not be achieved in the imprint in practice for the mail handling. The probability of scan errors increases with the amount of scanned data. Given higher printing resolution, a contamination of the letter surface can lead to an error, even without an electronic or scanning error. A certain redundancy of the data is therefore advantageous, but this reduces the number of usable bytes. A further disadvantage is that any bar code can only be checked by machine, i.e. it cannot be additionally manually checked. Consequently, about half the printing width (1/2 inch) would have to be made available for the conventionally, visually readable data. If the other half is then used for the machine-readable code, only 30 bytes, i.e. approximately 60 digits out of the total amount of information, can be reproduced in a reliably readable fashion, for example with the aforementioned JetMail®. Given a low print resolution, details are represented with less precision, and thus a lower number of digits can be represented.
In 1996, the U.S. Postal Service issued a request catalog with requirements made for the design of future, secure postage meter machines (information-based indicia program IBIP). It is suggested therein that specific data be cryptographically encoded and be printed on the letter to be franked in the form of a digital signature with reference to which the U.S. Postal Service can authenticate franking imprints. According to estimated particulars, an annual loss of approximately $200 million due to fraud is incurred by the U.S. Postal Service. Distinctions in these requirements have been made according to the type of franking means. Traditional postage meter machines, which usually only print a franking stamp (red), are referred to as "closed systems". Differing from such "closed systems" in PC franking systems, the corresponding letter address need not be incorporated into the crypto-encoding. When producing the letter, a letter recipient address (black) comprising the street address and a numerical code (zip to zone) can be printed on the cover with a standard printer. The recipient address, represented as a numerical code, is scanned with an optical character reader (OCR) in the mail centers and is printed onto the envelope in machine readable form as bar code (orange) for the mail distribution systems. Consequently, there is no link of the franking imprint to a specific letter recipient address. A potential counterfeiter, who does not frank at the postage meter machine but makes color copies of a letter having the same weight, will only be noticed within the postal system, i.e. in the post office, if all imprints are scanned and informationally stored in a data base, and if a comparison to all stored imprints is undertaken to prove the uniqueness of the franking imprint, in order for the franking to be recognized as a valid original.
The expenditure at the postal side for a complete archiving of all imprints and the implementation of a comparison under real-time conditions, however, would be enormous. When inspections at the postal side are only possible in the form of spot checks for expenditure reasons, there is a certain probability that a counterfeit will remain undetected.
European Application 660 270 discloses two measures for security, namely an evaluation method for identifying suspect postage meter machines in the data center that monitors the electronic recrediting, and a check of the mail pieces in the post office or in an institution authorized to carry out such a check. The possibility of producing unauthorized color copies can be at least limited in terms of time by employing time/date data as a monotonously continuously variable quantity, which is used to vary the printed data. A postage meter machine that exhibits odd behavior or irregularities, for example that has not had any contact with the data center for some time, is considered suspect. The data center reports suspicious postage meter machines to the postal authority, which then undertakes a targeted inspection of the mailings from that machine. A method and an arrangement for generating and checking a security imprint with a sequence of marking symbols is also disclosed. The graphics of the print format can be arbitrarily modified with a program modification of the postage meter machine. In addition to the traditional, visually readable data printed in open form, a sequence of marking symbols is also printed with the same print head, so that the print format can be manually checked by a postal employee, and can also be machine-interpreted. The print format can be modified as needed not only by insertable slogan text parts, but also by changing the marking from imprint to imprint due to the monotonously continuously variable quantity, thus making a mail piece printed in this way unmistakable. All critical data and the monotonously continuously variable quantity are compiled as a combination number and are then encoded and also subsequently converted into the aforementioned sequence of marking symbols. As a result, relatively little space is required for such a sequence of marking symbols compared, for example, to a bar code. 
By means of a suitable reader in one of the evaluation embodiments, the markings are automatically entered into a computer that is in communication with the data center. The marking is converted back into a crypto-number. Separately therefrom, traditional, visually (human) readable data printed openly are scanned with an OCR scanner in order to form a comparison crypto-number using a particular quantity, a computer in the postal system being informed of the quantity by the data center. The verification is done in the computer in the postal system by comparing the aforementioned crypto-number to the aforementioned comparison crypto-number. A recovery of franking information from the crypto-number is thereby no longer in the scope, and it is adequate when the marking allows a verification of the data printed on the mail piece. Given such a symmetrical encryption method, however, the encrypted message could fundamentally be encrypted by anyone who gains access to the same private key with which the message was encrypted.
Co-pending U.S. application Ser. No. 08/798,604 ("Method and Arrangement for Generating and Checking a Security Imprint"), filed Feb. 11, 1997, discloses a specific private key method for the aforementioned evaluation embodiment that was additionally mentioned in European Application 660 270. The private key is stored in a secure data base at a verification location, which is typically present at the postal authority, and is thus kept secret. A data authentication code (DAC) is formed from the message, this corresponding to a digital signature. The data encryption standard (DES) algorithm disclosed in U.S. Pat. No. 3,962,539 is thereby applied, this being described in FIPS PUB 113 (Federal Information Processing Standards Publication). The symbols of the marking symbol sequence of the digital signature are digits in the aforementioned co-pending application, possibly with additional special characters. The openly printed information and the digital signature in the OCR-readable section of the print format can thus be read visually (human) and by machine.
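The generate-and-check flow described above, together with the copy problem noted for spot checks, as an added example that is not part of the patent text. HMAC-SHA256 from the Python standard library stands in for the DES-based DAC of FIPS PUB 113; the key, the field layout, the 12-digit marking length and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed sample values; key handling and field layout are assumptions.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
MARK_DIGITS = 12  # printed marking length, chosen for illustration


def combination_number(meter_id, postage_cents, date, piece_count):
    """Join the openly printed data and the monotonic quantity into one message."""
    return f"{meter_id}|{postage_cents:06d}|{date}|{piece_count:08d}".encode()


def marking(key, message, digits=MARK_DIGITS):
    """Truncate an HMAC-SHA256 tag to a short decimal marking sequence."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(tag[:8], "big") % 10**digits).zfill(digits)


def verify(key, ocr_fields, printed_marking):
    """Rebuild the comparison code from the OCR-read fields and compare."""
    expected = marking(key, combination_number(**ocr_fields))
    return hmac.compare_digest(expected, printed_marking)


def spot_check(key, ocr_fields, printed_marking, archive):
    """Return 'invalid', 'duplicate' or 'ok'; archive holds imprints already seen."""
    if not verify(key, ocr_fields, printed_marking):
        return "invalid"
    imprint_id = (ocr_fields["meter_id"], ocr_fields["piece_count"])
    if imprint_id in archive:
        return "duplicate"  # same imprint presented twice, e.g. a copy
    archive.add(imprint_id)
    return "ok"


if __name__ == "__main__":
    fields = {"meter_id": "FP0001234", "postage_cents": 55,
              "date": "1998-03-02", "piece_count": 4711}
    mark = marking(SHARED_KEY, combination_number(**fields))
    seen = set()
    print(mark, spot_check(SHARED_KEY, fields, mark, seen))  # original imprint
    print(spot_check(SHARED_KEY, fields, mark, seen))        # second sighting
    altered = dict(fields, postage_cents=550)
    print(spot_check(SHARED_KEY, altered, mark, seen))       # edited value
```

The marking check alone accepts an exact copy of a valid imprint; only the archive lookup flags the second sighting, which is the storage and comparison cost the text attributes to complete checking at the postal side.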
The best known asymmetrical crypto-algorithm is the RSA algorithm of U.S. Pat. No. 4,405,829, which was named based on the names of its inventors, R. Rivest, A. Shamir and L. Adleman. As is known, the receiver decrypts an encrypted message with a private key, this encrypted message having been encrypted at the transmitter with a public key. RSA was the first asymmetrical method that was also suitable for producing digital signatures. The RSA algorithm, however, like other digital signature algorithms (DSA), uses two keys, with one of the two keys being public. The implementation of the RSA algorithm in a computer, however, yields an extremely slow processing time and produces a long signature. Due to the length of the digital signature produced, an overly large imprint that digitally printing postage meter machines could not supply with a standard print head would be generated, even using a corresponding symbolism (ID matrix, PDF 417 and others).
A digital signature standard (DSS) has been developed that supplies a shorter digital signature and that includes the digital signature algorithm (DSA) of U.S. Pat. No. 5,231,668. This development ensued proceeding from the identification and signature of the U.S. Pat. No. 4,995,085 and proceeding from the key exchange according to U.S. Pat. No. 4,200,770 or from the El Gamal method (El Gamal, Taher, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, vol. IT-31, No. 4, Jul. 1985). Such a secret, private key, however, is difficult to protect against theft from a computer.
Message authentication codes (MAC) can be generated with a symmetrical crypto-algorithm, and digital signatures for authentication can be generated with an asymmetrical crypto-algorithm. Given the symmetrical crypto-algorithm, the advantage of a relatively short MAC contrasts with the disadvantage of a single private key. Given the asymmetrical crypto-algorithm, the advantage of employing a public key contrasts with the disadvantage of a relatively long digital signature.